Researchers at the University of Illinois and the Advanced Digital Sciences Center in Singapore have developed a tool that allows security analysts to make practical and informed decisions about the security of their critical infrastructure system, such as a smart power grid. The tool, Cyber Security Argument Graph Evaluation (CyberSAGE), allows users to map their system’s workflow and model failure scenarios to see how their system holds up against potential attacks.

For example, a power grid can suffer a variety of cyber failures, such as a loss of automatic control or wireless network complications, but system operators don’t always know how those failures will affect their specific system until they happen. By modeling failure scenarios, such as the NESCOR scenarios from the Electric Power Research Institute (EPRI) in the United States, and linking them with concrete system models and attacker models, CyberSAGE gives practitioners a holistic view of how a cyber-attack-induced failure can happen and where the key places to put more security controls are.

“We need to have a way to determine whether a particular system design is more secure or resilient than another design,” said William Sanders, head of the University of Illinois' electrical and computer engineering department, ADSC faculty member and project co-PI. “There are several other cyber security assessment tools that provide overall assessments, but what CyberSAGE does is take input from a variety of sources, such as NESCOR and other models, to provide a more complete assessment.”

The project, which is funded through A*STAR, is led by University of Illinois and ADSC faculty members, including Sanders, Zbigniew Kalbarczyk and David Nicol, as well as ADSC’s David Yau. More recently, the framework and software developed under that project are also being applied in the SecUTS project, funded by Singapore’s National Research Foundation, which takes a cyber-physical approach to securing urban transportation systems.

The team began creating the framework for CyberSAGE in 2013, and the software has since gone through three major rounds of design iterations. The main developers of the latest version include ADSC Senior Software Engineer Prageeth Gunathilaka, who is its architect, ADSC Software Engineer Li Yuan, and ADSC’s former Senior Software Engineer Sumeet Jauhar. The research team is currently working on a fourth iteration that further enhances the software’s usability and scalability, and they hope to add a real-time component in the future so that the assessment result can change as system conditions evolve. The tool was developed for use on the power grid, but has since been applied to study metro systems. The team has also received interest from companies working with maritime and offshore systems and with manufacturing and automation systems.

CyberSAGE is free for academic use and has six academic users from the U.S. and Europe. Recently, two companies have also been testing the software on a trial basis, and the researchers have signed a commercial licensing agreement with a multinational electronics corporation for use of the software.

“The key to the development of any of these tools is to have test cases from real practitioners,” Sanders said. “By working together with these companies, we can not only help them make their products more resilient and secure, but make our tool better as well.”

The current tool combines a lot of information from different silos: knowledge from security consultants who excel at knowing the threats and attackers’ behavior, knowledge from system administrators or IT operators who know the IT systems and how devices connect, and specific domain knowledge regarding traditional operational scenarios or workflows in that specific field.

“Combining this information was a challenge because we wanted to provide a better way to look at the security of a whole system, but often information in these different domains isn’t shared between the silos,” said ADSC Senior Research Scientist Binbin Chen, who is the local lead of the CyberSAGE team in Singapore. “We had to spend time finding out how to do that in an intuitive and scalable manner.”

After users map their system into the offline tool, they can run a few dozen failure scenarios to see how their system holds up to different attacks. Because it is difficult to assign a value to security results, the researchers encourage users to interpret the results in a comparative manner, rather than an absolute manner. While quantifying security is a controversial academic topic, the team advises users to take a middle path: not reading too much into the values, but rather comparing the scores, probability or improvement values and making informed decisions based on those evaluations.

“There are a lot of papers that propose a risk assessment process. It is easy to sit and write about a hypothetical process, but it’s harder to get other researchers or practitioners to care about the process, use it and understand it,” said ADSC Senior Research Engineer William Temple, who leads an effort to apply the CyberSAGE tool in the security assessment of urban transportation systems. “Building a tool that implements our process was the key to making it easy for industry people to have interest in it and want to use it.”